Identity DNS

Decentralized DNS service that allows addressing Conflux instances by DNS names for load balancing and service discovery, all within the secure Anchor Protocol control plane.

What is Identity DNS?

Identity DNS is VeilNet's decentralized DNS service that enables you to address Conflux instances using human-readable DNS names instead of IP addresses. Unlike traditional DNS systems that rely on centralized registries, Identity DNS operates entirely within VeilNet's Anchor Protocol control plane, providing enhanced security, privacy, and resilience.

Key Features

Decentralized Architecture

Identity DNS does not require a centralized DNS registry. Instead, DNS name resolution is handled directly by the Anchor Protocol's control plane, which means:

  • No single point of failure: DNS resolution is distributed across the VeilNet network
  • No external dependencies: No reliance on external DNS servers or registries
  • Self-organizing: DNS records are propagated through the same secure control channel used for network coordination

Secure by Design

Because Identity DNS operates within the Anchor Protocol control plane, it inherits all of Anchor's security properties:

  • Post-quantum cryptography: All DNS queries and responses are protected with post-quantum primitives, using Kyber KEM for encryption key establishment and Dilithium DSA for signatures
  • No plaintext metadata: DNS queries don't expose identifying information to external observers
  • Packet Level Authentication (PLA): DNS resolution is subject to the same PLA as all VeilNet traffic
  • Team-based access control: DNS names can be restricted to specific teams, ensuring only authorized users can resolve them

Load Balancing and Service Discovery

Identity DNS enables powerful networking capabilities:

  • Load balancing: Map a single DNS name to multiple Conflux instances, automatically distributing traffic
  • Service discovery: Use meaningful DNS names to identify services and resources across your network
  • High availability: Automatically route to available instances when others become unavailable
  • Multi-region support: Seamlessly balance traffic across Conflux instances in different regions

How It Works

  1. DNS Name Registration: Conflux instances register their DNS names through the Anchor Protocol control plane
  2. Distributed Resolution: DNS queries are resolved through the same secure control channel used for network coordination
  3. Team-Based Access: DNS resolution respects team memberships and access control policies
  4. Automatic Updates: DNS records are automatically updated as Conflux instances join, leave, or change state

Benefits Over Traditional DNS

Feature        | Traditional DNS                      | Identity DNS
---------------|--------------------------------------|-----------------------------------------
Architecture   | Centralized registry                 | Decentralized, within Anchor Protocol
Security       | Plaintext queries, external exposure | Encrypted, post-quantum secure
Privacy        | Query metadata visible to DNS servers | No metadata leakage, private resolution
Dependencies   | External DNS infrastructure required | Self-contained within VeilNet
Access Control | Limited or none                      | Team-based, fine-grained control
Load Balancing | Requires external services           | Built-in, automatic

Use Cases

  • Microservices: Use DNS names to address services across your distributed infrastructure
  • Multi-region deployments: Balance traffic across regions using a single DNS name
  • Development environments: Use descriptive names like dev-database.veilnet instead of IP addresses
  • High availability: Automatically route to healthy instances when others fail
  • Team collaboration: Share services using team-scoped DNS names

Security Advantages

Identity DNS provides significant security advantages over traditional DNS:

  1. No DNS hijacking risk: Since resolution happens within the secure Anchor Protocol, there's no risk of DNS spoofing or hijacking
  2. Encrypted queries: All DNS queries are encrypted end-to-end, preventing eavesdropping
  3. Access control: DNS names can be restricted to specific teams, preventing unauthorized discovery
  4. No external exposure: DNS queries never leave the VeilNet network, reducing attack surface

Coming Soon

Identity DNS will be available in a future release, bringing decentralized, secure DNS resolution to VeilNet.